I am trying to identify which active directory users are able to federate to AWS IAM roles. Where is the mapping from Windows Active Directory to IAM Roles stored? Is this stored within IAM or a file outside of AWS?
I have identified the AWS roles which are federated to but can't identify which active directory users are able to log in using those roles.
There is no way to get this information from AWS. This mapping is done in your SAML solution. It is common to map AWS role with AD group, if you know the group you can see who is member, these members are the ones with access to this role.
Related
I'm a newbie and was looking for some help.
How do I list all grantable roles within my GCP environment at the organization level?
I am using...
gcloud iam list-grantable-roles
but everywhere I read it says I must specify the resource I want to check. I want it to check all resources.
Thank you for help!
Roles can be used in two ways. Applied to identities and applied to resources. When applied to resources (your example) you must specify the resource because resources only support a subset of all possible roles. For example, it makes no sense to apply a Compute Engine role to a Cloud Storage object.
To list all possible roles for an organization:
gcloud iam roles list --organization ORG_ID
I'm trying to apply the 'Application Administrator'role to a service principal to allow it to create other service principals in AD. I would have assumed that having the ability to manage all aspects of app registrations etc as explained in the docs here: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/users-groups-roles/directory-assign-admin-roles.md would have allowed me to do this but i still cannot create new service principals in this way?
It looks as if it has created when looking in AD App Registrations but errors out with insufficient privileges
I have tried several approaches through bash & powershell, trying to create the AD application first then creating a service principal from that application id, also tried with the 'Global Admin' role and that works as expected however we're trying to limit as much as possible.
The command i'm trying to run in bash is
az ad sp create-for-rbac -n $spn_name --skip-assignment
And the equivalent in powershell
New-AzAdServicePrincipal -ApplicationId $appid
From an SPN with only the 'Application Administrator' role assigned.
Creating service principal failed for appid 'http://test-spn1'. Trace followed:
{Trace JSON}
Insufficient privileges to complete the operation.
To grant an application the ability to create, edit and delete all aspects of apps (both Application objects and ServicePrincipal objects, represented in the portal under App Registrations and Enterprise Apps, respectively), you should consider the following two app-only permissions (instead of the directory role):
Application.ReadWrite.All - Create Application and ServicePrincipal objects and manage any Application and ServicePrincipal objects.
Application.ReadWrite.OwnedBy - Create Application and ServicePrincipal objects (and automatically get set as owner), and manage Application and ServicePrincipal objects it is owner of (either because it created them, or because it was assigned as an owner).
These permissions are pretty close to what the Application Administrator directory role allows for users. They're available for both Azure AD Graph API (which is the API used by the Azure CLI, the Azure AD PowerShell module (AzureAD), and the Azure PowerShell module (Az)), and Microsoft Graph API (which you should not use for production scenarios, as the application and servicePrincipal entitles are still in beta). The permissions are documented here:
* https://learn.microsoft.com/graph/permissions-reference#application-resource-permissions
Warning: Both of these permissions are very high privilege. By being able to manage Application and ServicePrincipal objects, they can add credentials for those objects (keyCredentials and passwordCredentials) and in doing so, exercise any access which has been granted to those other apps. If an app granted Application.ReadWrite.All is compromised, pretty much all apps are compromised.
I have a small group of people using AWS services.
When we first started, I mistakenly created EC2 instances under the root account, instead of creating them as an individual IAM user.
Now none of the IAM users can see those EC2 instances in the EC2 management portion of the AWS web console. The only way to see them is to log in as the AWS root account user.
Is there any way to make these EC2 instances visible to the IAM users?
AWS has documentation describing how to make instances visible to other accounts, but the same instructions don't seem to apply to this scenario.
The default policy for a IAM user is deny all services on AWS. So you have to provide appropriate permission for the IAM user. Generate policy using this website or assign AWS managed policies to the user.
You can get the information about attaching a policy to an IAM user on the document
You can create a read-only group for EC2 instances by following these steps:
Create a new group which will have all read-only users for EC2
Select and attach the predefined policy AmazonEC2ReadOnlyAccess from the list when creating the new group
Put all the IAM users to this newly created group
One of my clients wants to understand IAM feature before migrating business application to Amazon cloud.
I have figured out two use cases which we can recommend to our client, these are:
Resource-Level Permissions for EC2
• Allow users to act on a limited set of resources within a larger, multi-user EC2 environment.
• Control which users can terminate which instances.
• Restricting a user access to a single EC2 instance ( currently not supported by amazon API’s)
IAM Roles for Amazon ec2 resources
Command Line Usage
• Unix/Linux/Windows - Use the AWS Command Line Interface, which is a unified tool to manage the AWS services. We can access the Command Line Interface using the EC2 instance launched with IAM role support without specifying the credentials explicitly.
Programmatic Usage
• Use the appropriate AWS SDK for your language of choice. Configure it without specifying the credentials.
I would like to know other capabilities of IAM which we can recommend to our client and other use cases which you can recommend to us. Please let us know if any further explanation is required.
Any prompt response will be highly appreciated.
Thanks in advance
This is a very useful feature of AWS !
User Management - If you are a large team, you will have to give different users (or developers/testing, deployment) different type of permissions. Access levels like (say S3 read-only, DynamoDB full-access etc).
Manage Users : http://aws.amazon.com/iam/details/manage-users/
Not to keep credentials in code. Is you use IAM roles, you can mention that say an EC2 should work on this role. This will help you achieve things like "cluster with only access to S3, not DB")
IAM Roles for Amazon EC2 - Amazon Elastic Compute Cloud : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
Handle Release staging. This is a benefit from the ROLE. You move apps from dev, qa, staging and prod. I usually keep different accounts for this. In this case, if you configure the EC2 to run on roles, then the stage difference can be handled witout code change. Just move the build from one account to another, and it works with no risk!
Lot of other benefits;
Product Details : http://aws.amazon.com/iam/details/
Is it possible to setup separate accounts using Amazon's IAM service what would allow two different users to access the Amazon web dashboard/console? I'd like a separate account that can access these pages but I'd prefer not to have to give away the keys to the kingdom to do so.
If so can IAM policies be specified to allow restrict what the user can do with the console?
I've written a short howto on adding an ec2 user, it is similar for most policies.
URL:
http://www.corbettbaker.com/blog-posts/creating-aws-user-ec2-only-permissions
Basically, replace ec2user with whatever you want the user name to be.
-CB